www.legalconsortium.org

The Blog

How does the EU’s GDPR apply to hashed data on the blockchain?

Despite blockchain’s superior technical capacity for data privacy and security, lack of control over personal data is a major issue for the many companies subject to the EU’s new digital data privacy law—the General Data Protection Regulation (GDPR)—which comes into effect May 2018.

In May 2015, the European Commission published its Digital Single Market strategy, designed to produce a seamless commercial market across national borders to improve online access to goods and services, set a level playing field for competing firms, and spur economic growth. As part of this regulatory harmonization, the EU adopted the GDPR to facilitate net neutrality, cloud computing, access to big data and protection of citizens’ personal data.

Traditionally, Europe has followed stricter standards of data privacy than their American counterparts who often place a stronger emphasis on free expression and access to information. The GDPR focuses on digital identity governance, to give citizens more control of their personal data, limit the scope of lawful data processing by “data controllers” and enforce 1) a right to erasure of data, aka the “right to be forgotten,” 2) a right to data portability, and 3) a right to consent to uses of one’s personal data.

Enter blockchain, dubbed “data protection by design and default” in which data is either two-way encrypted, so as to be unreadable without a private key, or “hashed” in one direction. Blockchain hashing is very important for commercial functions like automated cross-border authentication of documents that do not contain personally identifiable information. But what happens when personal data is being processed in a blockchain?

The GDPR does not apply to anonymized data that cannot be traced back to an individual person. But hashing of personal data such as an ID card or medical record accomplishes only pseudonymisation, not anonymisation. GDPR protects pseudonymised data because of the “linkability” of an unreadable hash. Encrypted personal data might also be protected by the GDPR. Re-use of public keys, which were designed to identify a corporate entity in a blockchain transaction, could in other circumstances identify a private individual party to a transaction.

As a distributed ledger technology, transactions on a blockchain are permanently recorded in multiple nodes globally, data is immutable and cannot be compromised or deleted. Blockchains maximize transparency through public verification, thereby reducing vulnerability to fraud and cyberattacks. Financial applications such as cryptocurrencies transfer assets such as bitcoins directly peer to peer without a central intermediary, such as a bank. This makes it difficult to identify a responsible “data controller” in a non-permissioned system, much less hold them legally accountable.

The use of blockchain technology in the public and legal sectors has resulted in a variety of applications, including digital registries for marriages, land ownership and social services, as well as smart contract engines, commercial transactions, copyright enforcement, and genomics research. While blockchain offers valuable new opportunities for ensuring the quality of big data sets for machine learning and business cybersecurity through cryptography, digital signatures, and traceability, legal stumbling blocks over compliance with the GDPR abound.

In anticipation of client needs, at least one law firm has published a guide to blockchain compliance with global data protection regulations like GDPR with its broad reach well beyond Europe. It references analytical tools like the open source hyperledger and Corda, a commercial distributed ledger for frictionless commerce.

Another interesting development to come out of Europe is the Luxembourg Institute of Science and Technology’s patent application for a solution that empowers a provider of data to trace every incident of access to it by partners in the chain. A clinical research consortium that exchanges genomics data is cited as one practical application of this solution.

Deloitte, concluding that the GDPR may “create boundaries” for blockchain applications, observes that destruction of any data in a block, even for purposes of correcting or updating obsolete entries, destroys the integrity of the entire chain. With blockchain data, an essential characteristic seems to be “yes, and,” never “not, anymore.” Zero Knowledge Proofs (ZKP) is a technique designed to protect private data on a public blockchain by allowing the creator of transaction to validate it without revealing other information like the sender’s or receiver’s address or the amount.

Some GDPR-oriented solutions rely on blockchain as an access control mechanism for public verification of data access claims. But some purists argue that the appointment of a trusted administrator to alter ledger blocks in a chain may undermine the integrity of the whole system, and negate its core benefits. Andries VanHumbeeck describes this paradox in detail in his November 2017 post in the Ledger.

While the complexity of many solutions for blockchain compliance with GDPR may risk undermining some benefits of the technology, global companies using blockchain technology must deal proactively with emerging regulatory frameworks, even those not designed with blockchain in mind.